No matter how sophisticated, high-tech and impenetrable your security system is, you must remember that it’s as strong as its weakest element - which tends to be the human. If your employee has unintentionally connected a flash drive with malicious software, don’t be surprised if the hacker’s already in your system. We can predict the system flaws, find them and fix them, but we cannot predict human behaviour, especially if someone tried to manipulate it in a low-profile, carefully designed attack.
Social Engineering tests are used to assess your employee awareness and test your company’s security protocols. Are there any training or workshops designed to prepare your staff to face malicious tricks? Do employees know how to check links of downloadable files for the safety of their contents? Are they familiar with techniques of concealed adversarial attacks?
Nowadays, social engineering techniques are the easiest way for bad actors to bypass an organization's security infrastructure. The main problem is, that this type of attack is meant to be unrecognized before it’s too late.
To test how vulnerable to the exploit the human element is, tests must aim to cover as many areas and vectors as possible. While conducting the tests CyberForces specialists base on the OSINT (Open Source Intelligence) and their creativity to find entry points. Our primary rule is to think outside the box because that’s what hackers do.
These are some of the techniques we use while trying to breach your security system:
We use tools such as Rubberduck and WiFi Pineapple® to intercept physical network while being invisible to the user and BeEF (The Browser Exploitation Framework Project) to gather access to clients systems.
We sign the Non-Disclosure Agreement.
We interview the client to gather information about the company, comprehend the company’s structure and highlight key employees and assets.
We map easiest gateways, look for exposures using OSINT (for example social media or any public presence). We verify the attack vectors and how to use them in the light of the test.
We talk the scenario through with the client to make it as realistic as possible.
We conduct a simulation of an attack using social engineering techniques, according to the scenario. It can be a physical test “in the field” or internet-based test using for example spearphising.
We prepare a report pinpointing the compromised assets, breach points, uncovered data, business risks and recommend training for employees.
We suggest the security layers that must be augmented to protect against that type of attack, especially real black-hat adversarial attack. We conduct on-demand workshops with client’s employees.
After the right time, we perform retests to verify if the employees are properly educated, the vectors of the previous attack are fixed and try other paths to break into the company’s systems.
Contact us to get
more answers
What is social engineering?
It’s an attack vector used by cybercriminals. A set of manipulation, deceive techniques and methods that attempt to trick users (employees) into revealing vital data or performing actions designated by a hacker, such as clicking a link or downloading an attachment that contents malicious software.
How is a social engineering attack conducted?
After we’ve gathered intel during an interview with a client, we try to pass through its security, then perform an effective social engineering attack of our choice and discuss its consequences in non-test circumstances during a training session.
What is phishing?
It’s a technique involving a large-scale of communications such as emails and text messages, that are broadly used to dragoon users into sharing sensitive data or downloading a disguised malicious software.
What is baiting?
In this specific area, baiting is a trick that cybercriminals use to make users disclose their personal data considering, for example, their account information, social security number and so on. Hackers tend to use fraudulent mass-messages such as offers, forms, security alerts, fake prizes.
How to prevent phishing?
Phishing prevention comes directly from cultivated awareness and sensitivity of suspicious behaviour, certain types of messages received and knowledge of common techniques.
Who can fall a victim to a social engineering attack?
Absolutely everyone. In the digital world, each one of us has access to huge amounts of data. Every information is valuable, and every hacker is driven by gain. And think of all the data any company possess. If you think you’re too small of an organization to be attacked, you just make it easier by neglecting your defences. Train your employees and always keep your finger on pulse.
Quote your project
